This rule ensures that the default security group in every VPC restricts all traffic.
| Rule | Ensure the default security group of every VPC restricts all traffic |
| Framework | cis_v130 |
| Severity | ✔ High |
Rule Description:
The rule states that the default security group of every Virtual Private Cloud (VPC) should have all traffic restricted according to the CIS AWS Foundations Benchmark version 1.3.0 (cis_v130).
Details:
The default security group is automatically created for each VPC in Amazon Web Services (AWS). It is applied to all instances within the VPC that do not have any explicitly assigned security groups. To meet this rule, the default security group should have inbound and outbound rules that restrict all traffic, conforming to the requirements of the CIS AWS Foundations Benchmark version 1.3.0.
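As an added example (not part of the original rule page), the audit logic below evaluates the JSON shape returned by `aws ec2 describe-security-groups` and flags every default security group that still carries any inbound or outbound rule, then builds the exact `revoke-security-group-ingress`/`revoke-security-group-egress` commands needed to remove those rules. The sample response embedded in the script is constructed, with placeholder group, VPC and account IDs, and only the response fields the check needs are assumed to be present.

```python
import json

# Constructed sample in the shape of
# `aws ec2 describe-security-groups --filters Name=group-name,Values=default`.
# Only the fields this check reads are included (assumption: a subset of the
# real response); IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {   # compliant: no rules in either direction
            "GroupId": "sg-0aaa111122223333a", "GroupName": "default",
            "VpcId": "vpc-0a1b2c3d4e5f60001",
            "IpPermissions": [], "IpPermissionsEgress": [],
        },
        {   # non-compliant: the rules AWS creates with a new VPC are still present
            "GroupId": "sg-0bbb111122223333b", "GroupName": "default",
            "VpcId": "vpc-0a1b2c3d4e5f60002",
            # default ingress: all traffic from the group itself
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0bbb111122223333b",
                                       "UserId": "111122223333"}]}
            ],
            # default egress: all traffic to anywhere (IPv4)
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
        },
    ]
})


def find_noncompliant(describe_json: str) -> list:
    """Return one finding per default security group that has any rule.

    The CIS control is satisfied only when both the inbound and the outbound
    rule sets are empty, so a single remaining rule in either direction fails.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        if sg.get("GroupName") != "default":
            continue  # only the VPC default group is in scope for this rule
        n_in = len(sg.get("IpPermissions", []))
        n_out = len(sg.get("IpPermissionsEgress", []))
        if n_in or n_out:
            findings.append({"VpcId": sg["VpcId"], "GroupId": sg["GroupId"],
                             "ingress_rules": n_in, "egress_rules": n_out})
    return findings


def _compact(perm: dict) -> dict:
    # Drop empty lists so the generated --ip-permissions JSON stays short;
    # the revoke call only needs the populated fields of each rule.
    return {k: v for k, v in perm.items() if v not in ([], None)}


def remediation_commands(describe_json: str) -> list:
    """Build one revoke command per existing rule of each default group.

    Revoking the rule by its full IpPermissions structure removes exactly
    that rule, whether it is the out-of-the-box rule or one added later.
    """
    cmds = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        if sg.get("GroupName") != "default":
            continue
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                perms = json.dumps([_compact(perm)], separators=(",", ":"))
                cmds.append(
                    f"aws ec2 revoke-security-group-{direction} "
                    f"--group-id {sg['GroupId']} --ip-permissions '{perms}'")
    return cmds


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print(f"NON-COMPLIANT {f['VpcId']} {f['GroupId']}: "
              f"{f['ingress_rules']} ingress, {f['egress_rules']} egress rule(s)")
    for cmd in remediation_commands(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
```

In practice the input would be the output of `aws ec2 describe-security-groups --filters Name=group-name,Values=default`, run once per region; generating the revoke command from each rule's own structure avoids assuming that only the two rules AWS creates by default are present.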
Troubleshooting Steps:
If the default security group does not restrict all traffic as per the CIS benchmark, you can follow the troubleshooting steps below:
Necessary Code:
In order to restrict all traffic in the default security group, you need to modify the inbound and outbound rules. Here is an example of AWS CLI commands to update the default security group:
aws ec2 revoke-security-group-ingress --group-id <default-security-group-id> --ip-permissions '[{"IpProtocol":"-1","UserIdGroupPairs":[{"GroupId":"<default-security-group-id>"}]}]'
aws ec2 revoke-security-group-egress --group-id <default-security-group-id> --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
Note: Replace <default-security-group-id> with the actual ID of the default security group in your VPC. The first command removes the inbound rule AWS creates by default (all traffic from the group itself); the second removes the default outbound rule (all traffic to 0.0.0.0/0). On an IPv6-enabled VPC, revoke the matching ::/0 egress rule as well, and revoke any other rules that were added later; list them first with aws ec2 describe-security-groups --group-ids <default-security-group-id>.
Remediation Steps:
Follow the step-by-step guide below to remediate the default security group to comply with the CIS benchmark:
By following these steps and using the provided AWS CLI commands, you can ensure that the default security group of every VPC restricts all traffic as required by the CIS AWS Foundations Benchmark version 1.3.0 (cis_v130).